Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1020965.1
Update Date:2012-04-26
Keywords:
Solution Type  Technical Instruction Sure

Solution  1020965.1 :   KMS - How to Check When KMS Firewall tcp Ports Are Open  

Related Items 
    

  • Sun StorageTek Crypto Key Management System
    •  
Related Categories 
    

  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption
    •  
  • .Old GCS Categories>Sun Microsystems>Storage Software>Data Protection Software - Tape
    •  

PreviouslyPublishedAs
268168 


Applies to: 

Sun StorageTek Crypto Key Management System - Version Not Applicable and later
All Platforms

Checked for relevance on 2-Nov-2011.







Goal


ow to check KMS firewall tcp ports are open. 


Fix


The following are the tcp/ip ports that KMS needs open.



22 TCP Listening SSH (only when Technical Support is enabled)

53 TCP/UDP Connecting DNS (only when KMA is configured to use DNS)

68 UDP Connecting DHCP (only when KMA is configured to use DHCP)

123 TCP/UDP Listening NTP

161 UDP Connecting SNMP (only when SNMP Managers are defined)

3331 HTTP over TCP Listening KMS CA Service (KMA-to-KMA, Agent-to-KMA, Manager-to-KMA)

3332 HTTPS (TLS) over TCP Listening KMS Certificate Service (KMA-to-KMA, Agent-to-KMA, Manager-to-KMA)

3333 HTTPS (TLS) over TCP Listening KMS Management Service (Manager-to-KMA)

3334 HTTPS (TLS) over TCP Listening KMS Agent Service (Agent-to-KMA)

3335 HTTPS (TLS) over TCP Listening KMS Discovery Service (Agent-to-KMA, Manager-to-KMA)

3336 HTTPS (TLS) over TCP Listening KMS Replication Service (KMA-to-KMA) 





Steps to Follow

How to check KMA ports are open on firewall.

Open web browser.



https://172.20.151.25:3332/?wsdl



https://172.20.151.25:3333/?wsdl 



https://172.20.151.25:3334/?wsdl 



https://172.20.151.25:3335/?wsdl



https://172.20.151.25:3336/?wsdl



http://172.20.151.25:3331/?wsdl



The following message appears when opening up the links above:

===============================

This Connection is Untrusted

You have asked Firefox to connect

securely to 172.20.151.25:3332, but we can't confirm that your connection is secure.

Normally, when you try to connect securely,

sites will present trusted identification to prove that you are

going to the right place. However, this site's identity can't be verified.

      What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.



Technical Details



172.20.151.25:3332 uses an invalid security certificate.



The certificate is not trusted because the issuer certificate is not trusted.

The certificate is only valid for kma1



(Error code: sec_error_untrusted_issuer)



I Understand the Risks

==============================

This is the message you should get if the KMA port is responding, so firewall is not blocking the ports. 

==============================



If these ports 3332-3336 are open the browser will present your output confirming that the browser has established a connection to these ports on the server and give message certificate is not valid.



Port 3331 uses http, the output for port 3331 is just some html code that is returned, see below output.

If it is unable to communicate the browser will timeout communicating or give page not found.



HTML display of good communication response from KMA

This XML file does not appear to have any style information associated with it. The document tree is shown below.



-

"http://schemas.xmlsoap.org/soap/encoding/">

SOAP-ENV:Client

HTTP GET method not implemented

















Attachments

This solution has no attachment


















       

Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.

 Feedback